MS Office exploit that targets MacOS X seen in the wild - delivers "Mac Control" RAT

March 27, 2012  |  Jaime Blasco

Continuing our research on Tibet attacks, we have found more Mac trojans and some interesting MS Office files that  deliver them. The group behind these attacks is the same we have been tracking for a while:

- [no longer available] AlienVault Tibet related Research now used to target Tibetan non-governmental organizations

The doc files seem to exploit MS09-027 and target Microsoft Office for Mac. This is one of the few times that we have seen a malicious Office file used to deliver Malware on Mac OS X.

A remote code execution vulnerability exists in the way that Microsoft Office Word handles a specially crafted Word file that includes a malformed record. An attacker who successfully exploits this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

When the victim opens the malicious Word file using Office for Mac, the shellcode writes the malicious payload on disk and executes it, and then opens a benign office file with the following content:

The first stage copies the payload to the __IMPORT section of dyld using memcpy:

push dword 0x1be #Payload size

push edx

push dword 0x8fe6f318

push dword 0x8fe6f318 ## dyld __IMPORT (rwx) mov ebx,0x8fe2e130 #memcpy

jmp ebx

The second stage writes necessary files to /tmp/ (bash file, benign doc file, binary) and then executes the bash script (/tmp/launch-hs):

fstat(0x2, 0xBFFF4CD0, 0x200)


fstat(0x24, 0xBFFF4CD0, 0x200)

lseek(0x24, 0x6600, 0x0) #File Offset on the doc file

open(”/tmp/launch-hs”, 0x602, 0x1FF)

open(”/tmp/launch-hse”, 0x602, 0x1FF)

open(”/tmp/file.doc”, 0x602, 0x1FF)

read(0x24, “#!/bin/sh /tmp/launch-hse & open /tmp/file.doc & ”, 0x32)

write(0x26, “#!/bin/sh /tmp/launch-hse & open /tmp/file.doc & ”, 0x32) ...





execve(0x28, 0xBFFF4B80, 0x0)

Bash file: /tmp/launch-hs:

#!/bin/sh /tmp/launch-hse & open /tmp/file.doc &

The only difference is the .pslist used:


Label Program





The C&C server this time is:

- : -

Black Oak Computers Inc - New York - 75 Broad Street

New York, NY, US

The second trojan found is a new one never seen. We have found several versions compiled for different architectures (ppc, i386..) .We have also found a version that has paths to debugging symbols:

/Developer/longgegeProject/Mac Control/MacControl V1.1.1/build/ Release/

/Developer/longgegeProject/Mac Control/MacControl V1.1.1/build/ Release/

So the group seems to have a project called “longgege” and the actual trojan is named “MacControl” by them.

The trojan performs the following actions:

- Copies itself into /Library/launched

- Creates /Users/{User}/Library/LaunchAgents/

This is the way to maintain persistence. The trojan will be executed when the computer starts.

- It then reads the configuration parameters that are at the end of the binary file:

  • - domain: - port: 80

- Establishes a connection to the host present in the configuration parameters.

-Sends some information about the victim, username, hostname, system version…


- The trojan will then wait for commands from the C&C.

The attackers can then send commands to the victim to open a remote shell, send files, receive files, delete files….

The C&C domain resolves to -

China Unicom Beijing province network

China Unicom

All the samples we have found have 0/0 rate antivirus detection, it includes the malicious doc files.

We will publish a technical analysis of the trojan capabilities and some tips to detect these threats. Stay tuned!

Thanks to Rubén Santamarta @reversemode for his help during the analysis.


Share this with others

Get price Free trial